Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN

An attack against 64bit block ciphers was published today called Sweet32. The attack is a birthday attack which has been well known and understood for many years but was impractical. This attack has now been proven practical. Full details are available here: http://sweet32.info

It affects only 64bit ciphers (and lower) such as Blowfish and TripleDES (3DES). A number of requirements must be met for a successful attack:

1. A 64bit cipher must be available for the server to use in a TLS connection.

This requires that 3DES is configured on the web server.

2. A TLS connection must be kept alive (to prevent rekeying) so the attacker can gather around 800Gb of traffic.

This requires a "man in the browser" attack and that the server keeps the TLS connection open for the required number of requests and responses.

3. Some plaintext of the encrypted message is known

The name of an authentication token for example.

4. Some content of the message is fixed and sent repeatedly

The value of an authentication token for example.

At present RedShield's assessment of Sweet32 is that it is a medium level risk due to the requirements for a successful attack.

RedShield is currently actioning the following to mitigate the vulnerability:

- deprecating 3DES dependent on client browser support requirements. Any urgent requests to remove 3DES support can be actioned by raising a ticket.

- limiting the amount of data that can be transferred in one TLS connection before rekeying